Customers of Lloyds, TSB and Co-op Bank warned about ‘online security loopholes’

TSB, the Co-operative Bank and Lloyds have been told to “urgently address potential loopholes” in their online security arrangements that could leave people vulnerable to scammers, new research has found.

It comes as Which? assessed the apps and websites of 13 checking account providers in January and February 2024, with the help of computer security experts.

Researchers from the consumer group tested the security of banking websites and apps in the areas of login procedures, security best practices, account management and navigation and logout.

However, they were unable to test banks’ back-end security systems.

While all companies in the survey use multi-layered security that helps reduce the chance of major security breaches, Which? said it believes some providers who finished at the bottom of the rankings did not meet the standards customers should expect.

UK banks have been rated ‘unsafe’ for online and mobile security

TSB

TSB received a score of 54% for mobile app security and 67% for online security – the lowest and second lowest scores respectively.

Which? said the way the bank handled sensitive data meant it could be read by other apps on the phone. The consumer group raised concerns that the app stores users’ login credentials in a way that makes it more likely that other apps can access them.

TSB told the consumer group that the matter is under investigation and a resolution “will be considered in the future”.

The bank also sent a phone number in a text message alert, which Which? said could be replicated by scammers.

TSB told Which?: “We have removed phone numbers from the vast majority of text message alerts, with this alert being the latest plan to update to remove the phone number.”

Concerns were also raised about TSB’s password requirements, with Which? saying users may choose insecure passwords that are easier for scammers to crack.

TSB said: “We continue to strengthen the security of our online and mobile banking services while providing a positive and convenient user experience for customers. This is reflected in our high ratings in the app store.”

Co-operative Bank

Moreover, Which? placed the Co-operative Bank at the bottom of its online security survey, with a score of 61%.

In terms of the security of its mobile app, the Co-operative Bank came in second, with a score of 57%.

Which? said the bank failed to require two-factor authentication on a test laptop and did not prevent customers from setting weak passwords.

Researchers could log in from two different IP addresses simultaneously without terminating the older session, and as with TSB, phone numbers were still included in alerts and security codes sent via SMS.

The Co-operative Bank commented: “The security of our customers’ accounts is always our top priority. Customers can rest assured that we have robust security measures in place to protect them and their money.

“We are continually reviewing and improving our security controls and we will be making a number of further improvements in 2024 to give our customers the peace of mind that they can continue to bank safely with us.”

Do you bank with TSB? (Image: Aaron Chown/PA)

Which? said it is calling on TSB and the Co-operative Bank to urgently address the issues its investigators have discovered.

Lloyds Bank

Meanwhile, Lloyds did not log out website users after five minutes of inactivity. The bank told Which? that this makes transactions easier for vulnerable customers.

A spokesperson for Lloyds Banking Group added: “Helping our customers’ money and data stay safe is our priority and we have robust, multi-layered security across our online and mobile banking services to protect us from potential cyber security threats.

“We employ world-class cyber security experts and continually invest to provide the right balance between online security measures, customer experience and accessibility.

“Although Lloyds Banking Group is written into Payment Systems Regulator regulations for secure customer authentication, it has made regulators aware that we would not enforce this on payments and login, given the considerations for vulnerable customers and businesses that may be operating for longer than that period required to complete the transaction.

“Logins from new devices are verified through secondary authentication on customers’ registered phones to establish trust for all devices used. That’s why there are no devices that customers don’t trust.”

Starling Bank, NatWest/RBS and HSBC rated ‘safest’ for online and mobile security

Starling Bank and NatWest/RBS topped the Which? list for online security, with both achieving a score of 87%.

The highest ranked bank for mobile app security was HSBC, with a score of 78%.

HSBC achieved solid scores for both its app and website, and researchers found no issues with logging out or navigation, Which? said.

Barclays came in second in the mobile app rankings, with a score of 74%, but Which? found that it had not fixed website management issues it identified last year, such as allowing users to access accounts from multiple browsers, IP addresses or devices at the same time.

The bank told Which? it uses other controls to assess the risk profile of devices accessing online banking and plans to add this extra layer of protection later this year.

Sam Richardson, deputy editor of Which? Money said: “With many people increasingly banking online or on their phones, it is crucial that the banks we trust with our money have good security in place.

“While our investigation did not reveal any major security issues, there were some areas of concern that we believe the banks in question need to urgently address so that sophisticated scammers cannot use loopholes to target innocent victims.

“With fraudsters still ruthlessly pursuing our money and a general election looming, the next government must make the fight against fraud a national priority, with a Fraud Minister appointed to work across multiple government departments.”
